Medium SOA-C02 practice questions
Applied — put a concept to work in a realistic situation. 128 medium questions available — no sign-up, always free.
A SysOps administrator must enable HTTPS for a public-facing web application served by an Application Load Balancer (ALB). Security requires that the TLS certificate be automatically renewed to avoid expiration-related outages, and that no certificate private keys are ever stored on or accessible by the EC2 instances. Which approach meets these requirements with the least operational overhead?
A SysOps administrator manages a public-facing website behind an Application Load Balancer using an ACM certificate that was issued with DNS validation. The certificate is approaching its expiration date, and CloudWatch shows the certificate is NOT being automatically renewed. The domain's DNS is hosted in Amazon Route 53 in the same account. What is the MOST likely cause of the failed automatic renewal?
A SysOps administrator manages an Application Load Balancer (ALB) that distributes traffic to an Auto Scaling group spanning three Availability Zones. After a recent scaling event, the group has 6 instances in us-east-1a, 2 in us-east-1b, and 2 in us-east-1c. Users report that the instances in us-east-1b and us-east-1c are receiving noticeably higher CPU utilization than those in us-east-1a. What is the most likely cause of this uneven load?
A SysOps administrator manages an EC2 Auto Scaling group behind an Application Load Balancer. The application takes about 4 minutes to fully initialize and pass the ALB target group health checks after an instance launches. The Auto Scaling group is configured to use ELB health checks. Administrators notice that newly launched instances are being terminated and replaced repeatedly, causing a launch loop that never stabilizes. What is the MOST likely cause and appropriate fix?
A SysOps administrator manages a stateful web application on EC2 instances in an Auto Scaling group behind an Application Load Balancer. Each instance maintains long-running upload sessions. During scale-in events, users report that in-progress uploads are abruptly terminated before completing. The administrator needs to ensure that instances complete active sessions before being terminated. Which approach BEST solves this problem?
A company runs a stateless web application on an EC2 Auto Scaling group spanning three Availability Zones behind an Application Load Balancer. After a large scale-in event followed by manual instance terminations during troubleshooting, a SysOps administrator notices that 8 of the 10 running instances are concentrated in a single Availability Zone. The team is concerned that an AZ failure could remove most of the fleet's capacity. Which action will BEST ensure the Auto Scaling group maintains a balanced distribution of instances across the Availability Zones going forward?
An e-commerce company runs a web application on an EC2 Auto Scaling group behind an Application Load Balancer. Every business day, traffic spikes sharply at exactly 9:00 AM when a marketing email is sent, and the surge lasts about two hours. During this window, the application currently responds slowly because target tracking scaling reacts only after CloudWatch metrics breach thresholds, leaving a few minutes of under-provisioning. The company wants capacity available the moment the spike begins. What is the MOST effective way to address this?
A SysOps administrator manages an EC2 Auto Scaling group behind an Application Load Balancer for a web application. The application experiences unpredictable, large traffic spikes where CPU utilization can jump from 40% to 90% within a minute. The current target tracking policy targeting 50% average CPU adds instances too slowly during these sudden bursts, causing brief periods of degraded performance. The administrator needs the scaling response to be more aggressive as the breach magnitude increases. Which scaling configuration change BEST addresses this requirement?
A SysOps administrator manages a web application behind an Application Load Balancer with an EC2 Auto Scaling group. Traffic patterns are unpredictable, and CPU utilization stays low even during peak periods because the workload is I/O bound. During traffic surges, users experience slow responses even though the CPU-based target tracking policy never triggers scale-out. The administrator needs the group to scale based on how much traffic each instance actually handles. Which scaling configuration BEST addresses this?
A SysOps administrator manages a production application that stores data in an Amazon RDS for PostgreSQL Multi-AZ instance and several Amazon EBS volumes in the us-east-1 Region. The compliance team requires that all backups be retained for 90 days and that a copy of every backup exist in the us-west-2 Region to meet disaster recovery objectives. The solution must be centrally managed and automated with minimal operational overhead. Which approach BEST meets these requirements?
A SysOps administrator manages backups for a fleet of EC2 instances and RDS databases using AWS Backup. During a recent audit, the compliance team asked for proof that the backups are actually recoverable and meet the documented 4-hour RTO. The administrator wants an automated, repeatable way to validate that recovery points can be successfully restored on a recurring schedule, without manually launching restores each time. Which approach should the administrator implement?
A financial services company must ensure that its EBS and RDS backups cannot be deleted or have their retention periods shortened by anyone—including administrators with full AWS Backup permissions—for a mandatory 7-year compliance retention. A SysOps administrator has already created an AWS Backup vault and a backup plan that copies backups into it. Which action will enforce this immutable retention requirement?
A SysOps administrator manages a development AWS account where engineers frequently leave EC2 instances running overnight. Management wants an automated control that not only alerts the team when monthly EC2 spend exceeds $2,000 but also automatically applies a restrictive IAM policy to prevent launching additional instances once the threshold is crossed. Which solution meets these requirements with the least custom development?
A SysOps administrator is authoring a CloudFormation template that provisions EC2 instances running a web application. The instances must install packages, write configuration files, and start services in a specific, ordered sequence during launch. The administrator also wants the CloudFormation stack to wait until the bootstrap process completes successfully before marking the resource CREATE_COMPLETE, and to report a failure if the configuration does not finish. Which approach best meets these requirements?
A SysOps administrator deploys an EC2 instance via AWS CloudFormation. A UserData script installs and configures a large application that takes several minutes to finish. The team notices that CloudFormation reports CREATE_COMPLETE for the instance almost immediately, before the application is actually ready, causing dependent resources to fail. What is the correct way to ensure CloudFormation waits until the application setup completes before marking the resource successful?
A SysOps administrator manages a production application using a single CloudFormation stack. The stack contains an RDS DB instance, an EC2 Auto Scaling group, and several security groups. Before applying a template update that modifies the RDS instance class and adds a new parameter, the administrator must understand exactly which resources will be modified, replaced, or deleted — without actually applying any changes to the running environment. What is the MOST appropriate way to obtain this information?
A SysOps administrator manages two separate CloudFormation stacks. A networking stack creates a VPC and subnets and exposes their IDs using the Export field in its Outputs section. An application stack references these values with Fn::ImportValue. When the administrator attempts to delete the networking stack, the deletion fails. What is the cause, and how should the administrator resolve it?
A SysOps administrator manages a CloudFormation stack that provisions an application tier and an RDS DB instance holding production data. During a planned decommissioning of the application, the team will delete the stack, but they must ensure the RDS DB instance and its data are NOT destroyed when the stack is deleted. What is the MOST appropriate way to guarantee the database survives stack deletion?
A SysOps administrator manages production infrastructure using an AWS CloudFormation stack. During an incident, another engineer manually modified a security group's inbound rules directly in the EC2 console to restore service quickly. The administrator now needs to identify every resource in the stack whose live configuration no longer matches the template, without modifying or replacing any resources. Which approach accomplishes this?
A SysOps administrator is building a CloudFormation architecture for a multi-tier application. A parent stack must provision a shared VPC and subnets, and several child stacks (application, database, and cache tiers) must reference the VPC ID and subnet IDs created by the networking layer. The administrator wants the tiers deployed and managed as a single deployable unit, so that updating or deleting the parent stack automatically manages all tiers together. Which approach meets these requirements?
A SysOps administrator manages a production CloudFormation stack that includes an RDS DB instance and several EC2 instances. During routine stack updates, developers occasionally submit template changes that would inadvertently replace or delete the RDS DB instance, causing data loss. The administrator wants to prevent updates to the RDS resource specifically while still allowing updates to the EC2 resources through the normal update process. What should the administrator implement?
A SysOps administrator manages a standardized VPC baseline deployed to 40 accounts across an organization using a CloudFormation StackSet. During a security audit, the administrator discovers that in several member accounts, engineers manually modified security group rules and NACLs that were originally provisioned by the StackSet. The administrator needs to identify which stack instances no longer match their template configuration and then bring them back into compliance with the intended baseline. Which approach accomplishes this with the least manual effort?
A SysOps administrator manages an AWS Organizations environment with three organizational units (OUs): Dev, Staging, and Production. The security team wants to deploy a standardized IAM configuration and a CloudTrail baseline to every existing and future account in the Production OU. The administrator wants the deployments to happen automatically when new accounts are added to the OU, with minimal ongoing manual effort. Which approach meets these requirements?
A SysOps administrator manages a CloudFront distribution in front of an Application Load Balancer serving a product catalog application. The application returns different content based on a 'category' query string parameter, but users report they consistently see the same product list regardless of the category they select. CloudWatch shows a high cache hit ratio at CloudFront. What is the MOST likely cause and the correct remediation?
A media company serves static images through a CloudFront distribution backed by an S3 origin. Monitoring shows a low cache hit ratio and higher-than-expected origin request volume, driving up S3 GET costs. Investigating the origin responses, the SysOps administrator finds that S3 returns objects with a Cache-Control: max-age=60 header, and the distribution's cache behavior is configured to use origin cache headers with a Minimum TTL of 0, Maximum TTL of 60, and Default TTL of 0. The images rarely change. What is the MOST effective change to increase the cache hit ratio?